/**
 * Lists the admin modules the current user may see.
 *
 * Returns null when there is no session, or when the session user lacks the
 * 'admin' grant. Otherwise loads the 'admin' plugin info, keeps every
 * registered module whose isAllowed($user) accepts the user, and returns
 * them ordered by Admin::cmpModule.
 *
 * @return array|null
 */
public static function modules()
{
    $session = UserSession::get();
    // Fail closed: anonymous visitors and users without the 'admin' grant get nothing.
    if (!$session) {
        return null;
    }
    $user = $session->user();
    if (!Acl::isAllowed($user->username, 'admin')) {
        return null;
    }

    CoOrg::loadPluginInfo('admin');

    // Second gate: each module decides for itself whether this user may see it.
    $visible = array();
    foreach (self::$_modules as $module) {
        if ($module->isAllowed($user)) {
            $visible[] = $module;
        }
    }
    usort($visible, array('Admin', 'cmpModule'));
    return $visible;
}
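/**
 * Applies one access rule to this check and records the outcome in $this->_allowed.
 *
 * Rules are evaluated in order and the first rule that sets $this->_allowed
 * (true or false) wins: every later call returns immediately once a decision
 * exists. 'allow' and 'owns' also clear $this->_onlyDenied; 'deny' does not.
 *
 * @param string $what 'allow', 'deny' or 'owns'
 * @param string $key  a grant name, or a pseudo key starting with ':'
 *                     (':loggedIn' for allow, ':anonymous' for deny)
 * @return void
 */
public function in($what, $key)
{
    // A decision already taken (allow or deny) is final.
    if ($this->_allowed !== null) {
        return;
    }

    $session = UserSession::get();
    // isset() guards the empty key: $key[0] on '' is an out-of-range string offset.
    $isPseudo = isset($key[0]) && $key[0] === ':';

    if ($what == 'allow') {
        $this->_onlyDenied = false;
        if ($isPseudo) {
            if ($key == ':loggedIn' && $session != null) {
                $this->_allowed = true;
            }
        } elseif ($session && Acl::isAllowed($session->username, $key)) {
            $this->_allowed = true;
        }
    } else if ($what == 'deny') {
        if ($isPseudo) {
            if ($key == ':anonymous' && $session == null) {
                $this->_allowed = false;
            }
        } elseif ($session && Acl::isAllowed($session->username, $key)) {
            // Only a logged-in user can hold a grant, so the rule is skipped for
            // anonymous visitors (use ':anonymous' to deny them). Previously this
            // branch dereferenced UserSession::get()->username on null and the
            // request died with a fatal error instead of reaching a decision.
            $this->_allowed = false;
        }
    } else if ($what == 'owns') {
        $this->_onlyDenied = false;
        if ($session) {
            // Ownership can only grant, never deny: a non-owner keeps the current state.
            $this->_allowed = Acl::owns($session->username, $key) ? true : $this->_allowed;
        }
    }
}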
/**
 * Smoke test for the Acl package facade.
 *
 * Loads the ACL config and checks that the 'admin_panel' resource is refused
 * to the 'guest' and 'user' roles and granted to 'admin'.
 *
 * @return void
 */
public function testBasicPackage()
{
    Acl::setup(Config::get('acl::acl'));

    $deniedRoles = array('guest', 'user');
    foreach ($deniedRoles as $role) {
        $this->assertFalse(Acl::isAllowed(array($role), 'admin_panel'));
    }
    $this->assertTrue(Acl::isAllowed(array('admin'), 'admin_panel'));
    // Other package facades could be smoke-tested here as well.
}
/**
 * Renders the admin menu widget for users holding the 'admin' grant.
 *
 * Inside the admin area (request path whose first segment is 'admin') the
 * menu is the list from Admin::modules(); elsewhere it is a single
 * FakeAdminModule. Returns nothing for anonymous visitors and non-admins,
 * so no menu markup is produced for them.
 *
 * @param mixed  $widgetParams not used here
 * @param mixed  $orient       not used here
 * @param string $request      request path, segments separated by '/'
 */
public function run($widgetParams, $orient, $request)
{
    $session = UserSession::get();
    if (!$session || !Acl::isAllowed($session->username, 'admin')) {
        return;
    }

    // First path segment. With no '/' in the request strpos() is false, which
    // substr() takes as length 0, so a bare 'admin' path does not match here.
    $slash = strpos($request, '/');
    $head = substr($request, 0, (int) $slash);
    if ($head == 'admin') {
        $this->menu = Admin::modules();
    } else {
        $this->menu = array(new FakeAdminModule);
    }
    return $this->render('widgets/admin-menu');
}
/**
 * Group membership grants: a user gains a grant by joining a group that holds
 * it, and joining a second group that revoked the same grant does not take
 * it away again.
 */
public function testGroup()
{
    $webmasters = new UserGroup('Webmasters');
    $webmasters->save();
    $webmasters->grant('someGrant');

    // Not yet a member: no grant.
    $this->assertFalse(Acl::isAllowed('dvorak', 'someGrant'));
    $webmasters->add('dvorak');
    $this->assertTrue(Acl::isAllowed('dvorak', 'someGrant'));

    // Membership in a group that revoked the grant does not override the
    // grant already obtained through Webmasters.
    $badGroup = new UserGroup('BadGroup');
    $badGroup->save();
    $badGroup->revoke('someGrant');
    $badGroup->add('dvorak');
    $this->assertTrue(Acl::isAllowed('dvorak', 'someGrant'));
}
/**
 * Builds the access list for a set of roles.
 *
 * For every (resource, privilege) pair read from the resources and privileges
 * tables, the pair is appended to $this->access once as soon as any of the
 * given roles is allowed it; the roles loop stops at the first match.
 *
 * @param array $roles objects exposing a key_name property
 */
public function __construct($roles)
{
    // Table names come from constants, not from user input.
    $resources = dibi::fetchAll('SELECT key_name, name FROM [' . TABLE_RESOURCES . '] ORDER BY name;');
    $privileges = dibi::fetchAll('SELECT key_name, name FROM [' . TABLE_PRIVILEGES . '] ORDER BY name;');
    $acl = new Acl();

    $index = 0;
    foreach ($resources as $resource) {
        foreach ($privileges as $privilege) {
            $granted = false;
            foreach ($roles as $role) {
                if ($acl->isAllowed($role->key_name, $resource->key_name, $privilege->key_name)) {
                    $granted = true;
                    break;
                }
            }
            if ($granted) {
                $this->access[$index]['resource'] = $resource->name;
                $this->access[$index]['privileg'] = $privilege->name;
                $index++;
            }
        }
    }
}
/**
 * Builds the access list for a set of roles.
 *
 * For every (resource, privilege) pair read from the resources and privileges
 * tables, the pair is appended to $this->access once as soon as any of the
 * given roles is allowed it; the roles loop stops at the first match.
 *
 * @param array $roles objects exposing a key_name property
 */
public function __construct($roles)
{
    // Table names come from class constants, not from user input.
    $resources = dibi::fetchAll('SELECT key_name, name FROM [' . self::ACL_RESOURCES_TABLE . '] ORDER BY name;');
    $privileges = dibi::fetchAll('SELECT key_name, name FROM [' . self::ACL_PRIVILEGES_TABLE . '] ORDER BY name;');
    $acl = new Acl();

    $index = 0;
    foreach ($resources as $resource) {
        foreach ($privileges as $privilege) {
            $granted = false;
            foreach ($roles as $role) {
                // '@' silences the NOTICE raised when an assertion reads a resource
                // property (id, owner_id, ...) that is not set yet. It also hides
                // any other notice from the check; a cheaper-to-debug option would
                // be to make the assertion tolerate missing properties itself.
                if (@$acl->isAllowed($role->key_name, $resource->key_name, $privilege->key_name)) {
                    $granted = true;
                    break;
                }
            }
            if ($granted) {
                $this->access[$index]['resource'] = $resource->name;
                $this->access[$index]['privileg'] = $privilege->name;
                $index++;
            }
        }
    }
}
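/**
 * Returns the controller name for a request.
 *
 * Source order: the mvc_controller POST parameter, else the GET parameter,
 * else the default controller. The chosen name is then checked against the
 * ACL for the first role returned by the authentication adapter; when that
 * role is not allowed the controller, the authentication controller is
 * returned instead, so a user-supplied name never routes to a controller the
 * ACL has not approved.
 *
 * @param Request $request
 * @return string controller name
 * @todo currently only cares about first role. Make work for array of roles.
 * @todo remember selected controller & action to back-direct later
 * @todo either redirect to auth controller (for anonymous) OR FAIL?
 */
public function getControllerName(Request $request)
{
    // Fallback: route to default controller and action.
    $controllerName = $this->defaultControllerName;

    // GET parameter overrides the default controller.
    if ($request->hasGet('mvc_controller')) {
        $controllerName = $request->get('mvc_controller');
    }

    // POST parameter overrides GET parameter.
    if ($request->hasPost('mvc_controller')) {
        $controllerName = $request->post('mvc_controller');
    }

    // No usable role (adapter returned an empty list or nothing at all): fail
    // closed to the authentication controller rather than asking the ACL about
    // a null role. Previously $roles[0] raised a notice and passed null on.
    $roles = $this->authenticationAdapter->getRoles();
    if (!isset($roles[0])) {
        return $this->authenticationControllerName;
    }
    $role = $roles[0];

    // If that controller is not allowed, select authentication controller.
    if (!$this->acl->isAllowed($role, $controllerName)) {
        $controllerName = $this->authenticationControllerName;
    }

    return $controllerName;
}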
/**
 * Whether $user may see this admin module: requires the 'admin-user' grant.
 *
 * @param object $user object exposing a username property
 * @return bool
 */
public function isAllowed($user)
{
    $requiredGrant = 'admin-user';
    return Acl::isAllowed($user->username, $requiredGrant);
}
// NOTE(review): the route filters below read Session::get('roles') and pass it
// straight to Acl::isAllowed(). For a visitor whose session carries no roles
// that argument is null; confirm Acl::isAllowed() treats a missing role list as
// denied so that the 'login', 'register' and 'admin_panel' gates fail closed.
// The leading throw belongs to a filter whose start is above this excerpt, and
// the trailing docblock opens the forum filters that follow it.
// Always return Not found response for banned user! throw new DomainException('acl.banned'); } }); Route::filter('can_login', function () { if (!Acl::isAllowed(Session::get('roles'), 'login')) { return Redirect::to('/')->with('message', 'acl.login'); } }); Route::filter('can_register', function () { if (!Acl::isAllowed(Session::get('roles'), 'register')) { return Redirect::to('/error')->with('error', 'acl.register'); } }); Route::filter('can_access_admin_panel', function () { if (!Acl::isAllowed(Session::get('roles'), 'admin_panel')) { if (Auth::check()) { return Redirect::to('/error')->with('error', 'acl.insufficient'); } else { return Redirect::to('/auth/login')->with('error', 'acl.insufficient'); } } }); /* ************************************************ * Forum Filters * * * ************************************************ */ /** * | Saas forum filter to determine whether or not a user has the proper groups,
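/**
 * Whether $user owns $blog.
 *
 * True when $user is the blog's author, or when $user holds the 'blog-admin'
 * grant (admins count as owners of every blog for ACL purposes).
 *
 * @param string $user username
 * @param object $blog object exposing an authorID property
 * @return bool
 */
public function owns($user, $blog)
{
    // Compare the author identity as strings with ===. The previous loose ==
    // let PHP's numeric juggling decide ownership ('1e3' == '1000' is true, and
    // on PHP < 8 an integer authorID of 0 matched any non-numeric username),
    // i.e. an ownership bypass on a cheaply chosen identifier. Casting both
    // sides keeps an integer authorID comparable with a string username.
    if ((string) $blog->authorID === (string) $user) {
        return true;
    }
    return (bool) Acl::isAllowed($user, 'blog-admin');
}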
/**
 * Whether $user may use this blog module: requires the 'blog-moderator' grant.
 *
 * @param object $user object exposing a username property
 * @return bool
 */
public function isAllowed($user)
{
    $requiredGrant = 'blog-moderator';
    return Acl::isAllowed($user->username, $requiredGrant);
}